Hello everyone,
I have written a setup script that writes Raspberry Pi images to an SD card and configures them.
Starting at line 418 of the script is the following code, which is responsible for generating and configuring an image with LUKS, Dropbear and Arch.
if [ "$encrypt_system" == "y" ]
then
    # @see https://gist.github.com/gea0/4fc2be0cb7a74d0e7cc4322aed710d38
    rescue_suffix=".$(date +%s).rescue"
    search_hooks="HOOKS=(base udev autodetect modconf block filesystems keyboard fsck)"
    replace_hooks="HOOKS=(base udev autodetect modconf block sleep netconf dropbear encryptssh filesystems keyboard fsck)"
    mkinitcpio_path="/etc/mkinitcpio.conf"
    mkinitcpio_rescue_path="$mkinitcpio_path$rescue_suffix"
    search_modules="MODULES=()"
    replace_modules="MODULES=(g_cdc usb_f_acm usb_f_ecm smsc95xx g_ether)"
    root_mapper_path="/dev/mapper/root"
    fstab_path="/mnt/etc/fstab"
    fstab_rescue_path="$fstab_path$rescue_suffix"
    crypttab_path="/mnt/etc/crypttab"
    crypttab_rescue_path="$crypttab_path$rescue_suffix"
    boot_txt_path="/boot/boot.txt"
    boot_txt_rescue_path="$boot_txt_path$rescue_suffix"
    # Escape the search patterns and the replacement text for use inside the sed expressions below.
    boot_txt_delete_line=$(echo "part uuid \${devtype} \${devnum}:2 uuid" | sed -e 's/[]\/$*.^[]/\\&/g')
    boot_txt_setenv_origin=$(echo "setenv bootargs console=ttyS1,115200 console=tty0 root=PARTUUID=\${uuid} rw rootwait smsc95xx.macaddr=\"\${usbethaddr}\"" | sed -e 's/[]\/$*.^[]/\\&/g')
    # NOTE: $encrypted_partition_path is the card's device node on the build host
    # (/dev/mmcblk1p3 in the run below), whereas the image's own fstab names the boot
    # partition /dev/mmcblk0p1. The encryptssh hook resolves the cryptdevice= value at
    # boot time, so the form cryptdevice=UUID=<LUKS UUID>:root does not depend on how
    # the target enumerates the card.
    boot_txt_setenv_replace=$(echo "setenv bootargs console=ttyS1,115200 console=tty0 ip=::::$target_hostname:eth0:dhcp cryptdevice=$encrypted_partition_path:root root=$root_mapper_path rw rootwait smsc95xx.macaddr=\"\${usbethaddr}\"" | sed -e 's/[\/&]/\\&/g')
    info "Setup encryption..."
    # read -s: do not echo the passphrase to the terminal (or into a captured log of this run).
    question "Type in encryption password: " && read -rs luks_password && echo
    question "Repeat encryption password: " && read -rs luks_password_repeat && echo
    if [ "$luks_password" != "$luks_password_repeat" ]
    then
        error "Passwords didn't match."
    fi
    # printf %q produces a shell-quoted form of the passphrase, so a quote or a space in it
    # cannot break the generated cryptsetup commands below.
    luks_password_q=$(printf '%q' "$luks_password")
    # The commands below are generated as a script and piped into bash inside the chroot.
    # The chroot already runs as root, so no sudo is needed there.
    (
        echo "pacman --noconfirm -S --needed $(get_packages "server/luks") &&"
        echo "cp -v /home/$target_username/.ssh/authorized_keys /etc/dropbear/root_key &&"
        echo "cp -v $mkinitcpio_path $mkinitcpio_rescue_path &&"
        echo "sed -i 's/$search_modules/$replace_modules/g' $mkinitcpio_path &&"
        echo "sed -i 's/$search_hooks/$replace_hooks/g' $mkinitcpio_path &&"
        echo "echo \"Content of $mkinitcpio_path:\$(cat \"$mkinitcpio_path\")\" &&"
        # Concerning the mkinitcpio warning @see https://gist.github.com/imrvelj/c65cd5ca7f5505a65e59204f5a3f7a6d
        echo "mkinitcpio -P &&"
        echo "printf '%s\n' $luks_password_q | cryptsetup -v luksFormat -c aes-xts-plain64 -s 512 -h sha512 --use-random -i 1000 $encrypted_partition_path &&"
        echo "printf '%s\n' $luks_password_q | cryptsetup -v luksOpen $encrypted_partition_path root &&"
        echo "mkfs.ext4 $root_mapper_path &&"
        echo "mount $root_mapper_path /mnt &&"
        echo "rsync --info=progress2 -axHAX / /mnt/ &&"
        echo "cp -v $fstab_path $fstab_rescue_path &&"
        echo "echo '$root_mapper_path / ext4 defaults,noatime 0 1' >> $fstab_path &&"
        echo "echo \"Content of $fstab_path:\$(cat \"$fstab_path\")\" &&"
        echo "cp -v $crypttab_path $crypttab_rescue_path &&"
        # NOTE: the crypttab header shipped in the image says the root volume must not be
        # listed here, because the initramfs (cryptdevice= on the kernel command line) opens it.
        echo "echo 'root $encrypted_partition_path none luks' >> $crypttab_path &&"
        echo "echo \"Content of $crypttab_path:\$(cat \"$crypttab_path\")\" &&"
        # boot.txt only works for the Raspberry Pi 3 @todo needs to be implemented for Arch on the Raspberry Pi 4
        echo "cp -v $boot_txt_path $boot_txt_rescue_path &&"
        echo "sed -i 's/$boot_txt_delete_line//g' $boot_txt_path &&"
        echo "sed -i 's/$boot_txt_setenv_origin/$boot_txt_setenv_replace/g' $boot_txt_path &&"
        echo "echo \"Content of $boot_txt_path:\$(cat \"$boot_txt_path\")\" &&"
        echo "cd /boot/ && ./mkscr &&"
        echo "umount $root_mapper_path &&"
        echo "cryptsetup -v luksClose root &&"
        # If any command in the chain above fails, report it, try to release the mapping and
        # leave the chroot with a non-zero status so that the '|| error' below fires.
        echo "exit || { echo 'Error in chroot environment!'; echo 'Trying to close decrypted root.'; umount $root_mapper_path 2>/dev/null; cryptsetup -v luksClose root; exit 1; }"
    ) | chroot "$root_mount_path" /bin/bash || error
fi
fi
The code produces the following output on the terminal:
[INFO]: Setup encryption...
[QUESTION]: Type in encryption password:
test
[QUESTION]: Repeat encryption password:
test
warning: rsync-3.2.3-1 is up to date -- skipping
warning: autoconf-2.69-7 is up to date -- skipping
warning: automake-1.16.2-3 is up to date -- skipping
warning: binutils-2.35-1 is up to date -- skipping
warning: bison-3.6.4-1 is up to date -- skipping
warning: fakeroot-1.24-2 is up to date -- skipping
warning: file-5.39-1 is up to date -- skipping
warning: findutils-4.7.0-2 is up to date -- skipping
warning: flex-2.6.4-3 is up to date -- skipping
warning: gawk-5.1.0-1 is up to date -- skipping
warning: gcc-10.2.0-1 is up to date -- skipping
warning: gettext-0.21-1 is up to date -- skipping
warning: grep-3.4-1 is up to date -- skipping
warning: groff-1.22.4-3 is up to date -- skipping
warning: gzip-1.10-3 is up to date -- skipping
warning: libtool-2.4.6+44+gb9b44533-14 is up to date -- skipping
warning: m4-1.4.18-3 is up to date -- skipping
warning: make-4.3-3 is up to date -- skipping
warning: pacman-5.2.2-1 is up to date -- skipping
warning: patch-2.7.6-8 is up to date -- skipping
warning: pkgconf-1.7.3-1 is up to date -- skipping
warning: sed-4.8-1 is up to date -- skipping
warning: sudo-1.9.3.p1-1 is up to date -- skipping
warning: texinfo-6.7-3 is up to date -- skipping
warning: which-2.21-5 is up to date -- skipping
warning: uboot-tools-2020.04-1 is up to date -- skipping
warning: dropbear-2020.80-1 is up to date -- skipping
warning: mkinitcpio-utils-0.0.3-5 is up to date -- skipping
warning: mkinitcpio-netconf-0.0.5-2 is up to date -- skipping
warning: mkinitcpio-dropbear-0.0.3-6 is up to date -- skipping
there is nothing to do
'/home/alarm/.ssh/authorized_keys' -> '/etc/dropbear/root_key'
'/etc/mkinitcpio.conf' -> '/etc/mkinitcpio.conf.1601472644.rescue'
Content of /etc/mkinitcpio.conf:# vim:set ft=sh
# MODULES
# The following modules are loaded before any boot hooks are
# run. Advanced users may wish to specify all system modules
# in this array. For instance:
# MODULES=(piix ide_disk reiserfs)
MODULES=(g_cdc usb_f_acm usb_f_ecm smsc95xx g_ether)
# BINARIES
# This setting includes any additional binaries a given user may
# wish into the CPIO image. This is run last, so it may be used to
# override the actual binaries included by a given hook
# BINARIES are dependency parsed, so you may safely ignore libraries
BINARIES=()
# FILES
# This setting is similar to BINARIES above, however, files are added
# as-is and are not parsed in any way. This is useful for config files.
FILES=()
# HOOKS
# This is the most important setting in this file. The HOOKS control the
# modules and scripts added to the image, and what happens at boot time.
# Order is important, and it is recommended that you do not change the
# order in which HOOKS are added. Run 'mkinitcpio -H <hook name>' for
# help on a given hook.
# 'base' is _required_ unless you know precisely what you are doing.
# 'udev' is _required_ in order to automatically load modules
# 'filesystems' is _required_ unless you specify your fs modules in MODULES
# Examples:
## This setup specifies all modules in the MODULES setting above.
## No raid, lvm2, or encrypted root is needed.
# HOOKS=(base)
#
## This setup will autodetect all modules for your system and should
## work as a sane default
# HOOKS=(base udev autodetect block filesystems)
#
## This setup will generate a 'full' image which supports most systems.
## No autodetection is done.
# HOOKS=(base udev block filesystems)
#
## This setup assembles a pata mdadm array with an encrypted root FS.
## Note: See 'mkinitcpio -H mdadm' for more information on raid devices.
# HOOKS=(base udev block mdadm encrypt filesystems)
#
## This setup loads an lvm2 volume group on a usb device.
# HOOKS=(base udev block lvm2 filesystems)
#
## NOTE: If you have /usr on a separate partition, you MUST include the
# usr, fsck and shutdown hooks.
HOOKS=(base udev autodetect modconf block sleep netconf dropbear encryptssh filesystems keyboard fsck)
# COMPRESSION
# Use this to compress the initramfs image. By default, gzip compression
# is used. Use 'cat' to create an uncompressed image.
#COMPRESSION="gzip"
#COMPRESSION="bzip2"
#COMPRESSION="lzma"
#COMPRESSION="xz"
#COMPRESSION="lzop"
#COMPRESSION="lz4"
# COMPRESSION_OPTIONS
# Additional options for the compressor
#COMPRESSION_OPTIONS=()
==> Building image from preset: /etc/mkinitcpio.d/linux-aarch64.preset: 'default'
-> -k 5.8.9-2-ARCH -c /etc/mkinitcpio.conf -g /boot/initramfs-linux.img
==> Starting build: 5.8.9-2-ARCH
-> Running build hook: [base]
-> Running build hook: [udev]
-> Running build hook: [autodetect]
-> Running build hook: [modconf]
-> Running build hook: [block]
-> Running build hook: [sleep]
-> Running build hook: [netconf]
-> Running build hook: [dropbear]
Generating dss host key for dropbear ...
Unknown key type 'dss'
Usage: /usr/sbin/dropbearkey -t <type> -f <filename> [-s bits]
-t type Type of key to generate. One of:
rsa
ecdsa
ed25519
-f filename Use filename for the secret key.
~/.ssh/id_dropbear is recommended for client keys.
-s bits Key size in bits, should be a multiple of 8 (optional)
ECDSA has sizes 256 384 521
Ed25519 has a fixed size of 256 bits
-y Just print the publickey and fingerprint for the
private key in <filename>.
dropbear_rsa_host_key : sha1!! a1:7b:17:e0:43:2e:2c:d2:8e:d3:17:21:15:fb:45:4a:7f:7e:96:57
dropbear_ecdsa_host_key : sha1!! 14:7e:96:5c:1d:8e:60:bd:fb:70:21:93:d5:c7:1e:71:85:49:02:ef
-> Running build hook: [encryptssh]
-> Running build hook: [filesystems]
-> Running build hook: [keyboard]
-> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux.img
bsdtar: Failed to set default locale
bsdtar: Failed to set default locale
==> Image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux-aarch64.preset: 'fallback'
-> -k 5.8.9-2-ARCH -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-fallback.img -S autodetect
==> Starting build: 5.8.9-2-ARCH
-> Running build hook: [base]
-> Running build hook: [udev]
-> Running build hook: [modconf]
-> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: wd719x
-> Running build hook: [sleep]
-> Running build hook: [netconf]
==> WARNING: Possibly missing firmware for module: rsi_sdio
==> WARNING: Possibly missing firmware for module: rsi_usb
==> WARNING: Possibly missing firmware for module: atmel
==> WARNING: Possibly missing firmware for module: at76c50x_usb
==> WARNING: Possibly missing firmware for module: rtl8723ae
==> WARNING: Possibly missing firmware for module: zd1201
==> WARNING: Possibly missing firmware for module: zd1211rw
==> WARNING: Possibly missing firmware for module: prism54
==> WARNING: Possibly missing firmware for module: p54pci
==> WARNING: Possibly missing firmware for module: p54usb
==> WARNING: Possibly missing firmware for module: orinoco_usb
==> WARNING: Possibly missing firmware for module: wcn36xx
==> WARNING: Possibly missing firmware for module: b43legacy
==> WARNING: Possibly missing firmware for module: b43
==> WARNING: Possibly missing firmware for module: ipw2100
==> WARNING: Possibly missing firmware for module: ipw2200
==> WARNING: Possibly missing firmware for module: mt7603e
-> Running build hook: [dropbear]
Generating dss host key for dropbear ...
Unknown key type 'dss'
Usage: /usr/sbin/dropbearkey -t <type> -f <filename> [-s bits]
-t type Type of key to generate. One of:
rsa
ecdsa
ed25519
-f filename Use filename for the secret key.
~/.ssh/id_dropbear is recommended for client keys.
-s bits Key size in bits, should be a multiple of 8 (optional)
ECDSA has sizes 256 384 521
Ed25519 has a fixed size of 256 bits
-y Just print the publickey and fingerprint for the
private key in <filename>.
dropbear_rsa_host_key : sha1!! a1:7b:17:e0:43:2e:2c:d2:8e:d3:17:21:15:fb:45:4a:7f:7e:96:57
dropbear_ecdsa_host_key : sha1!! 14:7e:96:5c:1d:8e:60:bd:fb:70:21:93:d5:c7:1e:71:85:49:02:ef
-> Running build hook: [encryptssh]
-> Running build hook: [filesystems]
-> Running build hook: [keyboard]
-> Running build hook: [fsck]
==> Generating module dependencies
==> Creating gzip-compressed initcpio image: /boot/initramfs-linux-fallback.img
bsdtar: Failed to set default locale
bsdtar: Failed to set default locale
==> Image generation successful
Unknown host QEMU_IFLA type: 54
Unknown host QEMU_IFLA type: 54
WARNING: Device /dev/mmcblk1p3 already contains a 'crypto_LUKS' superblock signature.
Existing 'crypto_LUKS' superblock signature (offset: 0 bytes) on device /dev/mmcblk1p3 will be wiped.
Existing 'crypto_LUKS' superblock signature (offset: 16384 bytes) on device /dev/mmcblk1p3 will be wiped.
Key slot 0 created.
Command successful.
Unknown host QEMU_IFLA type: 54
Unknown host QEMU_IFLA type: 54
Key slot 0 unlocked.
Command successful.
mke2fs 1.45.6 (20-Mar-2020)
Creating filesystem with 14724352 4k blocks and 3686400 inodes
Filesystem UUID: da0071a7-ef0d-4051-9461-145add2be871
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736, 1605632, 2654208,
4096000, 7962624, 11239424
Allocating group tables: done
Writing inode tables: done
Creating journal (65536 blocks): done
Writing superblocks and filesystem accounting information: done
1,924,493,579 99% 5.42MB/s 0:05:38 (xfr#32483, to-chk=0/43361)
'/mnt/etc/fstab' -> '/mnt/etc/fstab.1601472644.rescue'
Content of /mnt/etc/fstab:# Static information about the filesystems.
# See fstab(5) for details.
# <file system> <dir> <type> <options> <dump> <pass>
/dev/mmcblk0p1 /boot vfat defaults 0 0
/dev/mapper/root / ext4 defaults,noatime 0 1
'/mnt/etc/crypttab' -> '/mnt/etc/crypttab.1601472644.rescue'
Content of /mnt/etc/crypttab:# Configuration for encrypted block devices.
# See crypttab(5) for details.
# NOTE: Do not list your root (/) partition here, it must be set up
# beforehand by the initramfs (/etc/mkinitcpio.conf).
# <name> <device> <password> <options>
# home UUID=b8ad5c18-f445-495d-9095-c9ec4f9d2f37 /etc/mypassword1
# data1 /dev/sda3 /etc/mypassword2
# data2 /dev/sda5 /etc/cryptfs.key
# swap /dev/sdx4 /dev/urandom swap,cipher=aes-cbc-essiv:sha256,size=256
# vol /dev/sdb7 none
root /dev/mmcblk1p3 none luks
'/boot/boot.txt' -> '/boot/boot.txt.1601472644.rescue'
Content of /boot/boot.txt:# After modifying, run ./mkscr
# Set root partition to the second partition of boot device
setenv bootargs console=ttyS1,115200 console=tty0 ip=::::home-server:eth0:dhcp cryptdevice=/dev/mmcblk1p3:root root=/dev/mapper/root rw rootwait smsc95xx.macaddr="${usbethaddr}"
if load ${devtype} ${devnum}:${bootpart} ${kernel_addr_r} /Image; then
if load ${devtype} ${devnum}:${bootpart} ${fdt_addr_r} /dtbs/${fdtfile}; then
if load ${devtype} ${devnum}:${bootpart} ${ramdisk_addr_r} /initramfs-linux.img; then
booti ${kernel_addr_r} ${ramdisk_addr_r}:${filesize} ${fdt_addr_r};
else
booti ${kernel_addr_r} - ${fdt_addr_r};
fi;
fi;
fi
Image Name: U-Boot boot script
Created: Wed Sep 30 13:43:18 2020
Image Type: ARM Linux Script (uncompressed)
Data Size: 668 Bytes = 0.65 KiB = 0.00 MiB
Load Address: 00000000
Entry Point: 00000000
Contents:
Image 0: 660 Bytes = 0.64 KiB = 0.00 MiB
Unknown host QEMU_IFLA type: 54
Unknown host QEMU_IFLA type: 54
Command successful.
After inserting the SD card into the Raspberry Pi and trying to reach the system via SSH, I get the following error message:
ssh root@192.168.178.61
cat: can't open '/.cryptdev': No such file or directory
Command requires device and mapped name as arguments.
Connection to 192.168.178.61 closed.
Unfortunately it is not clear to me what causes this error :/ I hope someone here can help me out 😉
Regards 🙂
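A pre-flight check for the generated boot.txt and mkinitcpio.conf, as an added example that is not part of the original post or of the gea0 gist the script follows. It runs on the build host before the card is moved to the Pi and checks the two things the initramfs needs to get right at boot: that the cryptdevice= argument is not a raw /dev/mmcblkNpM path that the target may enumerate differently, that root= names the mapper device cryptdevice= will create, and that HOOKS=(...) runs netconf, dropbear and encryptssh in that order before filesystems. SAMPLE_BOOT_TXT, SAMPLE_HOOKS and DUMMY_UUID are constructed for the example (the boot.txt follows the shape printed above; the UUID is a placeholder), and all function names are my own.

```bash
#!/usr/bin/env bash
# Added example, not code from the post or from the gea0 gist: pre-flight checks for
# the kernel command line in boot.txt and the HOOKS order in mkinitcpio.conf.
# SAMPLE_BOOT_TXT, SAMPLE_HOOKS and DUMMY_UUID are constructed inputs for this example.

# Cut-down boot.txt in the shape the post prints (constructed input).
SAMPLE_BOOT_TXT=$(cat <<'EOF'
# After modifying, run ./mkscr
setenv bootargs console=ttyS1,115200 console=tty0 ip=::::home-server:eth0:dhcp cryptdevice=/dev/mmcblk1p3:root root=/dev/mapper/root rw rootwait smsc95xx.macaddr="${usbethaddr}"
if load ${devtype} ${devnum}:${bootpart} ${kernel_addr_r} /Image; then
  booti ${kernel_addr_r} - ${fdt_addr_r};
fi
EOF
)

# HOOKS line as the script writes it (constructed input).
SAMPLE_HOOKS="HOOKS=(base udev autodetect modconf block sleep netconf dropbear encryptssh filesystems keyboard fsck)"

# Placeholder for what `blkid -s UUID -o value /dev/mmcblk1p3` prints after luksFormat;
# not a real UUID.
DUMMY_UUID="11111111-2222-3333-4444-555555555555"

# Print the value of cryptdevice=<dev>:<mapper-name> from the `setenv bootargs` line.
bootargs_cryptdevice() {
    printf '%s\n' "$1" | sed -n 's/^setenv bootargs .*cryptdevice=\([^ ]*\).*/\1/p' | head -n1
}

# Print the value of root=... from the `setenv bootargs` line.
bootargs_root() {
    printf '%s\n' "$1" | sed -n 's/^setenv bootargs .* root=\([^ ]*\).*/\1/p' | head -n1
}

# Succeed only if the device half of cryptdevice= is independent of the host's
# device enumeration (resolved by libblkid at boot rather than by /dev name).
cryptdevice_is_stable() {
    case "${1%%:*}" in
        UUID=*|PARTUUID=*|LABEL=*|PARTLABEL=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if root= names the mapper device that cryptdevice=<dev>:<name> creates.
root_matches_cryptdevice() {
    local dev name
    dev=$(bootargs_cryptdevice "$1")
    name=${dev#*:}
    [ -n "$dev" ] && [ "$(bootargs_root "$1")" = "/dev/mapper/$name" ]
}

# Rewrite cryptdevice=/dev/...:<name> to cryptdevice=UUID=<uuid>:<name>, keeping the name.
rewrite_cryptdevice_uuid() {
    local dev name
    dev=$(bootargs_cryptdevice "$1")
    name=${dev#*:}
    printf '%s\n' "$1" | sed "s|cryptdevice=${dev}|cryptdevice=UUID=$2:${name}|"
}

# Succeed only if HOOKS=(...) lists netconf, then dropbear, then encryptssh, all
# before filesystems: netconf brings the interface up, dropbear starts the SSH
# server, encryptssh resolves cryptdevice= and waits for the mapping.
hooks_order_ok() {
    local hooks h i=0 p_net= p_db= p_ssh= p_fs=
    hooks=$(printf '%s\n' "$1" | sed -n 's/^HOOKS=(\(.*\))/\1/p' | head -n1)
    for h in $hooks; do
        i=$((i + 1))
        case $h in
            netconf)     p_net=$i ;;
            dropbear)    p_db=$i ;;
            encryptssh)  p_ssh=$i ;;
            filesystems) p_fs=$i ;;
        esac
    done
    [ -n "$p_net" ] && [ -n "$p_db" ] && [ -n "$p_ssh" ] && [ -n "$p_fs" ] || return 1
    [ "$p_net" -lt "$p_db" ] && [ "$p_db" -lt "$p_ssh" ] && [ "$p_ssh" -lt "$p_fs" ]
}

# Demo on the constructed inputs.
if dev=$(bootargs_cryptdevice "$SAMPLE_BOOT_TXT") && cryptdevice_is_stable "$dev"; then
    echo "cryptdevice=$dev is host-independent"
else
    echo "cryptdevice=$dev is a raw device path; rewritten with the UUID it becomes:"
    rewrite_cryptdevice_uuid "$SAMPLE_BOOT_TXT" "$DUMMY_UUID" | grep '^setenv bootargs'
fi
if hooks_order_ok "$SAMPLE_HOOKS"; then echo "HOOKS order ok"; else echo "HOOKS order wrong"; fi
```

On the real card, take the UUID from `blkid -s UUID -o value <partition>` after luksFormat, feed it to rewrite_cryptdevice_uuid, and run ./mkscr again as the comment at the top of boot.txt says, since U-Boot reads boot.scr and not boot.txt.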